HPE OneView
ThomasSch1
Occasional Advisor

Pentest finding regarding old jQuery version on OneView 9.3

Hi all,

We currently have a pentest finding regarding the jQuery version in use. The web application of OneView uses version 1.12.4, which has several known vulnerabilities, including susceptibility to Cross-Site Scripting (XSS) attacks.

Is there any chance to update the library by itself, even though it is not recommended, or is there a fix with a newer version planned for the future? There has been a release of OneView version 9.4, but I cannot find any information on whether the jQuery version has been updated.

 

Thanks in advance.

Thomas

ChrisLynch
HPE Pro

Re: Pentest finding regarding old jQuery version on OneView 9.3

Oftentimes, pen testing will find false positives, such as this. While products like HPE OneView use a specific version that may include known vulnerabilities, I can state that we have the necessary mitigations in place to ensure they are not exposed. We do routine product scanning with well-known industry tools to identify open source components that have known CVEs and assess the applicability of them. For instance, jQuery's known XSS vulnerabilities would require embedded code execution within the text string. Our configuration of jQuery enforces strict string processing and always ensures text strings are forced to be the string data type, which prevents injecting malicious code/scripts that would otherwise have been executed.

Is there a specific CVE you are concerned about?

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

ThomasSch1
Occasional Advisor

Re: Pentest finding regarding old jQuery version on OneView 9.3

Hi Chris,

In our case the pen testing was done by simply running $.fn.jquery in the dev tools console. I know that this is indeed a bit short-sighted and might/does not at all reflect reality, but as we work in a certain sector we do need some kind of proof or official statement/KB article for our risk management to close the issue.

If you have some official documentation or article concerning that topic, I would gladly use it as proof, and I will try to find out if your first answer in this topic might even be enough to declare it a somewhat false positive, since the version does match but the implementation does not pose a security threat.

If it helps, I can also open an official case to use as proof.

 

Thanks in advance,

Thomas

ChrisLynch
HPE Pro

Re: Pentest finding regarding old jQuery version on OneView 9.3

I would need the specific CVEs that you need answers to. HPE's disclosure policy here is to report on impacted products and solutions when a specific vulnerability has been reported, either directly to HPE (Hewlett Packard Enterprise Product Security Response Policy) or as a documented CVE. For instance, the only server management solution that had an impacted and exposed version of jQuery was iLO Amplifier Pack, for which we published an HPE Security Bulletin back in March 2021 (HPESBGN04108 rev.1 - HPE iLO Amplifier Pack, Remote Cross-Site Scripting (XSS) Vulnerability). We have reviewed a number of jQuery CVEs and thus far have found none that are exposed by OneView.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
ThomasSch1
Occasional Advisor

Re: Pentest finding regarding old jQuery version on OneView 9.3

Hi Chris,

I understand your point of view. Our pentesters just flag the jQuery version as vulnerable and recommend an update, which we cannot do on an appliance such as OneView, and that makes it hard on our side to close those findings. They do not list any given CVEs, because only the version was queried. I can only post CVEs generally listed for version 1.12.4, e.g. CVE-2020-11023 or CVE-2019-11358.

I will try to get some clarification from risk management. If no vulnerabilities have been identified on your side concerning OneView regarding that jQuery version, that might be enough. Still, it is somewhat of a chicken-and-egg situation.

Thanks for your support!

Greetings,

Thomas

 

 

ChrisLynch
HPE Pro

Re: Pentest finding regarding old jQuery version on OneView 9.3

I can tell you that none of those CVEs impact OneView. And after further discussion with engineering, we already have the necessary CSS mitigations in place to ensure that code injection is not executed. Essentially, "OneView wraps calls to jquery to ensure that 'bad data' is not injected."

If there are other specific CVEs, we can help provide answers or input. However, it is corporate disclosure policy that we only provide public disclosure statements in the form of Security Bulletins if products are impacted by CVEs or direct security vulnerability reports (all provided in the link I have above to an HPE Support Center document).

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]